lvps.389ds_server

389ds-server


This role installs the 389 Directory Server (LDAP server) on the specified machine(s).

ansible-galaxy install lvps.389ds_server

Features

  • Install a single LDAP server
  • Set up logging
  • Add custom schema files
  • Enable or disable any plugin
  • Configure the DNA plugin for UID/GID numbers
  • Set up TLS (Transport Layer Security)
  • Enforce TLS (minimum security settings) or make it optional
  • Enable or disable LDAPI
  • Enable or disable SASL PLAIN authentication

Replication is handled by another role.

Requirements

  • Ansible 2.10 or newer; for Ansible 2.8 and 2.9, use version 3.1.x of this role.
  • Supports SUSE (OpenSUSE or SLES) or CentOS 7, 8, 9, or other RHEL-based OS.

Role Variables

Here are the variables you can set for this role and a brief explanation of each.

dirsrv_product

Default: OS dependent · Changeable: No

You can use the free 389 Directory Server or the supported Red Hat Directory Server. Trust the default settings for the free version, or adjust this value if needed.

dirsrv_port

Default: 389 · Changeable: No

The port where the 389ds listens.

dirsrv_suffix

Default: dc=example,dc=com · Changeable: No

This is the directory information tree (DIT) suffix. All server entries will be placed under this suffix. Generally, it's based on your company's main domain components. For example, for the domain example.co.uk with the server at ldap-server.example.co.uk, use dc=example,dc=co,dc=uk, omitting the host name part.

dirsrv_bename

Default: userRoot · Changeable: No

The internal database name for the suffix.

dirsrv_othersuffixes

Default: [] · Changeable: No

A list of additional suffixes in the format { name: <bename>, dn: <rootDN> }.

dirsrv_rootdn

Default: cn=Directory Manager · Changeable: No

The DN of the admin (root) user. Binding as this DN bypasses the server's access control checks.

dirsrv_rootdn_password

Changeable: No

Password for root DN. This variable must be defined, or the role will fail.

dirsrv_fqdn

Default: {{ansible_nodename}} · Changeable: No

Fully Qualified Domain Name (FQDN) of the server, e.g., ldap.example.com. Defaults to the node's hostname, which is correct only if the hostname is already set to the FQDN.

dirsrv_serverid

Default: default · Changeable: ¹

ID for the server or instance. All data related to the instance will be organized in directories such as /etc/dirsrv/slapd-default. You can set this to match your company name.

dirsrv_listen_host

Changeable: Yes

Specifies which addresses/hostnames the server should listen on. Leaving it unset has no effect; setting it to a string changes the nsslapd-listenhost attribute to that value.

dirsrv_secure_listen_host

Changeable: Yes

Similar to dirsrv_listen_host but for LDAPS connections.

... (The document continues with more variable explanations and configurations as shown in the original text.)

Tags

Use tags to run specific tasks, such as updating custom schema files without affecting anything else:

ansible-playbook some-playbook.yml --tags dirsrv_schema

Available tags:

  • dirsrv_schema: Manage custom schema tasks
  • dirsrv_tls: Manage all TLS configuration tasks
  • dirsrv_cert: Handle TLS certificate tasks

Dependencies

None.

Usage Examples

Minimum working example

- name: Simple playbook example
  hosts: example
  roles:
    - role: lvps.389ds_server
      dirsrv_rootdn_password: secret

This will bind with DN cn=Directory Manager and password secret on port 389.

Configure firewall

To allow external access to the LDAP server, you may need to open the LDAP port (389):

- name: Allow ldap port on firewalld
  firewalld: service=ldap permanent=true state=enabled

Similarly, handle the LDAPS port (636) if you're using TLS.
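The following playbook is an added example, not from the role's README or its test suite. It combines the variables documented above (root DN password from a vault file, a suffix derived from example.co.uk, listeners bound to one internal address, a second suffix in the { name, dn } format), opens only the LDAP/LDAPS firewall services, and then checks that the suffix is actually served. Assumptions: the host group ldap_servers, the address 10.0.0.5, the vault variable vault_dirsrv_rootdn_password, a firewalld zone named internal, an installed ldapsearch client on the target, and anonymous base searches being permitted (the 389ds default).

```yaml
# Added example (not the role's own code). Values are constructed; adjust for your site.
- name: Deploy a single 389 Directory Server with restricted listeners
  hosts: ldap_servers
  become: true
  vars:
    # Keep the root DN password out of the playbook: vault_dirsrv_rootdn_password
    # is assumed to live in an ansible-vault encrypted vars file.
    dirsrv_rootdn_password: "{{ vault_dirsrv_rootdn_password }}"
    # Suffix built from the domain example.co.uk, dropping the host label.
    dirsrv_suffix: dc=example,dc=co,dc=uk
    dirsrv_serverid: example          # instance lives in /etc/dirsrv/slapd-example
    dirsrv_fqdn: ldap-server.example.co.uk
    # Bind LDAP and LDAPS only to the internal interface (unset = all addresses).
    dirsrv_listen_host: 10.0.0.5
    dirsrv_secure_listen_host: 10.0.0.5
    # A second suffix on its own backend, in the { name: <bename>, dn: <rootDN> } format.
    dirsrv_othersuffixes:
      - { name: partnersRoot, dn: "dc=partners,dc=example,dc=co,dc=uk" }

  roles:
    - role: lvps.389ds_server

  post_tasks:
    - name: Open LDAP (389) and LDAPS (636) only on the internal firewalld zone
      ansible.posix.firewalld:
        service: "{{ item }}"
        zone: internal              # assumed: the 10.0.0.5 interface is in this zone
        permanent: true
        immediate: true
        state: enabled
      loop: [ldap, ldaps]

    - name: Wait until the server accepts connections on the chosen address
      ansible.builtin.wait_for:
        host: "{{ dirsrv_listen_host }}"
        port: "{{ dirsrv_port | default(389) }}"
        timeout: 60

    - name: Confirm the suffix entry is served (anonymous base search, no password on the command line)
      ansible.builtin.command: >
        ldapsearch -x -LLL
        -H ldap://{{ dirsrv_listen_host }}:{{ dirsrv_port | default(389) }}
        -b {{ dirsrv_suffix }} -s base dn
      register: suffix_check
      changed_when: false
      failed_when: "'dn: ' ~ dirsrv_suffix not in suffix_check.stdout"
```

Run it with ansible-playbook and, after the first deployment, rerun only the schema or TLS parts with --tags dirsrv_schema or --tags dirsrv_tls as described under Tags.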

Advanced examples

You can customize further by specifying various configurations in your playbooks for example entries, plugins, and TLS settings as shown in the original document.

Future Extensions

Planned features might include support for different platforms, additional plugin configurations, and more.

License

Apache 2.0 for the role and its tests.

Author Information

Maintainer: Ludovico Pavesi
Original contributions from Colby Prior and Artemii Kropachev.
